The Biggest Security Breaches of 2017

Despite all the technology and awareness dedicated to cybersecurity, data breaches won’t be slowing down anytime soon. In fact, they’re poised to break last year’s record pace.

According to 24/7 Wall Street, the 758 breaches reported as of June 2017 mark an almost 30% increase from 2016. If cybercriminals keep it up, the total number of attacks could exceed 1,500 by the end of the year.

While there hasn’t been a data breach as big as the infamous Yahoo breach last year, 2017 has had some seriously detrimental breaches.

With that in mind, here’s a chronological look back at the biggest security breaches of 2017 so far.

E-Sports Entertainment Association (ESEA)

Jan. 8, 2017: Starting Dec. 30, 2016, ESEA, one of the largest video gaming communities, discovered a breach and issued a warning to players. Initially it wasn’t known what was stolen or how many people were affected. But breach notification service LeakedSource stated in January that more than 1.5 million ESEA records had been added to its database.

Xbox 360 ISO and PSP ISO

Feb. 1, 2017: Security expert Troy Hunt, of the website Have I Been Pwned?, revealed that Xbox 360 ISO and PSP ISO had been hacked all the way back in September 2015. The websites, both forums that host illegal video game download files, housed sensitive user information that was taken. As a result, 1.2 million Xbox 360 ISO users and 1.3 million PSP ISO users were affected. They could have had their email addresses, IP addresses, usernames, and passwords stolen in the breach.

What’s most disturbing is that it took so long to find out about the hack. According to IdentityForce, it’s because, “There’s often a long lead time between when a breach occurs and the data going public because the hackers are working quietly to see how much money they can make by selling the information. Once it’s served its purpose, they’ll often dump it online on the dark web, and that’s when the public is clued in to what happened.”

Arby’s

Feb. 17, 2017: After being pressed by KrebsOnSecurity, Arby’s finally acknowledged that there was a data breach in select restaurants. Even though the company was notified about the breach in mid-January, the FBI asked it not to go public just yet. Malware was placed on payment systems in about one-third of the company’s 3,000-plus U.S. stores. It’s believed the breach included data from more than 350,000 customer debit and credit cards.

River City Media

March 6, 2017: A group of spammers that was operating under the name River City Media unknowingly released its private data into cyberspace simply because it didn’t configure its backups properly. The leak, known as Spammergate, included Hipchat logs, domain registration records, accounting details, infrastructure planning, production notes, scripts, business affiliations, and more. The biggest discovery, however, was a database containing 1.4 billion email accounts, IP addresses, full names, and even physical addresses.

If there’s a silver lining, it’s that this information was found by one of the “good guys.” Chris Vickery, a security researcher for MacKeeper, happened to be this good guy who reported the breach to the proper authorities.

Dun & Bradstreet

March 15, 2017: Dun & Bradstreet, a business services company, discovered that its marketing database containing more than 33 million corporate contacts was shared online. The firm claims its systems were not breached but that it had sold the 52 GB database to thousands of companies across the country, so no one is sure which of those businesses suffered the breach that ultimately exposed the records.

It’s believed that millions of employees working in the U.S. Department of Defense, the U.S. Postal Service, Walmart, AT&T, and CVS all had information leaked, and it’s possible that the database includes full names, work email addresses, phone numbers, and other business-related data.

Saks Fifth Avenue

March 19, 2017: BuzzFeed discovered that customer information was available in plain text on the Saks Fifth Avenue website through a specific link. The information for tens of thousands of customers could be viewed on a page where customers simply joined a waitlist for the products they were interested in. Even though payment details were not exposed, email addresses, phone numbers, product codes, and IP addresses were visible.

America’s JobLink

March 21, 2017: The names, Social Security numbers, and birthdates of job seekers in Alabama, Arizona, Arkansas, Delaware, Idaho, Illinois, Kansas, Maine, Oklahoma, and Vermont were exposed in this breach. According to the Idaho Department of Labor, the breach could have compromised up to 4.8 million accounts nationwide.

The breach can be traced back to Feb. 20 when a hacker apparently created a new account and then exploited a vulnerability to access other job seekers’ information. But the breach wasn’t confirmed until March 21.

FAFSA: IRS Data Retrieval Tool

April 6, 2017: The IRS stated that as many as 100,000 taxpayers may have had their personal information stolen in a scheme that involved the IRS Data Retrieval Tool. This tool is used to complete the Free Application for Federal Student Aid (FAFSA). In March 2017, federal officials observed a potential data breach and subsequently took the tool down.

But the damage was already done. The agency suspects that around 8,000 fraudulent returns were filed and processed at a cost of $30 million. Also, 52,000 returns were stopped by IRS filters, with 14,000 illegal refund claims halted as well.

Schoolzilla

April 12, 2017: Schoolzilla, a California student data warehouse platform, first acknowledged the breach on April 12 in a message on its website that stated: “A well-known computer security researcher was doing a targeted analysis of Schoolzilla when he uncovered a file configuration error.”

The exposed information included the names, addresses, birth dates, and test scores of around 14,000 current and former students in the Palo Alto school district. Most disastrous was that it also exposed more than a million Social Security numbers of other individuals.

InterContinental Hotels Group (IHG)

April 19, 2017: In February, IHG, which owns Candlewood Suites, Holiday Inn, Crowne Plaza, and Kimpton Hotels and Resorts, announced a data breach that was believed to have only involved 12 of its properties in California. In April, however, it was revealed that the breach involved 1,200 properties.

The malware collected data acquired by point-of-sale registers that included the cardholder name, card number, expiration date, and internal verification code. The good news is the malware was eradicated in all locations by the end of March.

Chipotle

April 25, 2017: Chipotle posted a “Notice of Data Security Incident” on its website to inform customers that unauthorized activity had been detected on its network. The company believed payment card transactions that occurred between March 24, 2017, and April 18, 2017, in most of its 2,250 restaurants may have been affected by the theft of account numbers and internal verification codes.

The investigation was still active at the time the notice was published, though the malware has been removed.

Sabre Hospitality Solutions

May 2, 2017: Sabre Hospitality Solutions, a tech company that provides reservation system services for more than 36,000 properties, announced that a breach let hotel customer payment information become compromised. The company shared this information in its quarterly filing report but did not share when the breach occurred or the affected locations. The breach has reportedly been shut off.

Gmail

May 3, 2017: Gmail users were the target of a highly sophisticated email phishing scam that sought to gain access to accounts via a third-party app. The emails were made to mirror those of a user’s trusted contact and notified users that they wanted to share a Google Doc with them. When the Doc was opened and the user clicked on the link, they were directed to Google’s real security page. It was here that the person was prompted to allow a fake Google Docs app to manage their email account.

Google quickly squashed the scam in roughly one hour, but it estimated that about 1 million users could still have been affected.

Edmodo

May 11, 2017: Education platform Edmodo was breached. The company’s vice president of marketing and communications told Motherboard that the organization had “learned about a potential security incident” and was taking the report “very seriously.”

Meanwhile, a fraudster known as nclay was selling 77 million Edmodo accounts on the dark web for $1,000. LeakBase found the data to include usernames, email addresses, and hashed passwords. However, the passwords were hashed with “robust bcrypt algorithms” and properly salted, which means they were more difficult for cybercriminals to crack.

WannaCry

May 12, 2017: This was a worldwide cyberattack by the ransomware WannaCry that targeted computers running Microsoft Windows by encrypting data and holding the computer hostage until a ransom payment was made.

It started with the U.K.’s health service but eventually affected more than 230,000 computers in over 150 countries, including organizations like FedEx, Nissan, Deutsche Bahn, Telefónica, the University of Montreal, the Ministry of Internal Affairs of the Russian Federation, and the Chinese public security bureau.

DocuSign

May 17, 2017: Users of the popular electronic signature provider DocuSign were the target of malware phishing attacks earlier this year. DocuSign stated that the hackers breached one of its systems, but they only obtained email addresses and no other personal information. The hackers then used the stolen email addresses to launch a malicious email campaign where DocuSign-branded messages were sent to unknowing recipients. They were prompted to click and download the Microsoft Word document that contained malware.

If you believe you received a suspicious DocuSign email, please forward it to spam@docusign.com. And remember, only access documents directly through the DocuSign website, not by clicking on email links.

Molina Healthcare

May 25, 2017: A security flaw was found on the top ACA insurer’s patient portal that allowed anyone to access patient medical claims just by changing a single number in the URL. The exposed records didn’t appear to contain Social Security numbers, but they did include names, addresses, birthdates, diagnoses, medication, and other medically pertinent information that could be used for medical fraud. It’s believed that all patient data was affected for Molina’s 4.8 million customers.
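The flaw class described above (a record served purely on the number in the URL) is shown below next to a handler that checks ownership, plus a log check for one account being denied across many ids. This is an added example, not code from Molina or from the original article; the record store, the `user=... GET /claims/<id> <status>` log format and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records: claim id -> owning member and claim data.
CLAIMS = {
    1001: {"owner": "member-a", "summary": "constructed claim A"},
    1002: {"owner": "member-b", "summary": "constructed claim B"},
}

class Forbidden(Exception):
    """Raised when the caller may not see the requested claim."""

def get_claim_vulnerable(session_user, claim_id):
    # Flawed pattern: the id from the URL is the only thing consulted.
    return CLAIMS.get(claim_id)

def get_claim_hardened(session_user, claim_id):
    # Object-level authorization: the record must belong to the caller.
    if session_user is None:
        raise Forbidden("authentication required")
    record = CLAIMS.get(claim_id)
    # Same error for "missing" and "not yours" so ids cannot be probed.
    if record is None or record["owner"] != session_user:
        raise Forbidden("claim not available")
    return record

# Hypothetical access-log format: user=<id> GET /claims/<n> <status>
LOG_LINE = re.compile(r"user=(\S+) GET /claims/(\d+) (\d{3})")

def flag_id_walking(log_lines, max_denied=3):
    """Return users denied on more than max_denied distinct claim ids."""
    denied = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.search(line)
        if m and m.group(3) == "403":
            denied[m.group(1)].add(int(m.group(2)))
    return sorted(u for u, ids in denied.items() if len(ids) > max_denied)

# Constructed access-log lines for the check above.
SAMPLE_LOG = [
    "user=member-a GET /claims/1001 200",
    "user=member-b GET /claims/1002 200",
] + [f"user=member-c GET /claims/{n} 403" for n in range(1003, 1009)]
```
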

University of Oklahoma

June 14, 2017: The University of Oklahoma’s (OU) student-run newspaper, The Oklahoma Daily, was the first to report an on-campus data breach connected to the university’s document sharing system, Delve. Educational records that dated back to at least 2002 were exposed unintentionally through incorrect privacy settings.

The paper reported that in just 30 of the hundreds of documents made public on Delve, there were more than 29,000 instances where students’ private information was made public to users within OU’s email system. This sensitive information included Social Security numbers, financial aid information, and grades. For now, the file sharing service has been shut down.

Washington State University

June 15, 2017: A hard drive that contained the personal information of approximately 1 million people was stolen from a Washington State University storage unit in Olympia, Wash. Since the hard drive was inside an 85-pound safe, the university doesn’t believe that the individual was able to get inside the safe and steal the hard drive’s data.

The information on the hard drive was part of research the university had conducted for school districts, government offices, and other outside agencies. This information included Social Security numbers and health history. The university sent letters to the individuals who may have been affected and has offered them a free year of credit monitoring to be safe.

Deep Root Analytics

June 20, 2017: The Republican National Committee hired data analytics firm Deep Root Analytics to gather political information about U.S. voters during the 2016 election. Chris Vickery, who we mentioned above, found that the personal information of 198 million citizens that Deep Root Analytics collected was stored on an Amazon cloud server without password protection for almost two weeks in June.

The exposed information included names, dates of birth, home addresses, phone numbers, and voter registration details. Deep Root has since taken full responsibility, updated the access settings, and put protocols in place to prevent any further access.

California Association of Realtors

July 10, 2017: A subsidiary of the California Association of Realtors, the Real Estate Business Services (REBS), was the victim of a data breach between March 13, 2017, and May 15, 2017, after its online payment system was infected with malware. If a user made a payment on the website during that period, personal information could have been copied by the malware and transmitted to an unknown third party. Sensitive data that may have been accessed included the user’s name, address, credit card number, credit card expiration date, and credit card verification code.

The malware has since been removed, and the organization is now using PayPal for payments.

Verizon

July 13, 2017: It’s been reported that around 14 million Verizon subscribers may have been affected by a data breach — if you happened to have contacted Verizon customer service in the first six months of 2017.

These records were held on a server controlled by Israel-based Nice Systems and were discovered by Chris Vickery yet again. Vickery notified Verizon of the data exposure in late June, but it took more than a week to secure the breached data. The data that was obtained was log files generated whenever customers contacted the company on the phone.

Online Spambot

August 30, 2017: Do you recall the River City Media breach? A similar breach happened again to an online spambot. However, the set of stolen data was much larger. Originally, River City Media’s breach was thought to have impacted 1.4 billion people, but it ended up being 393 million records. This online spambot breach reportedly involved 711 million records.

The spambot harvested email addresses and some passwords in order to send spam emails. However, it forgot to secure the server that the data was kept on. It’s unknown how many people have found this database and are currently using the information for their own benefit.

TalentPen and TigerSwan

September 2, 2017: More than 9,000 documents containing the personal information of job seekers with Top Secret clearance became publicly available through an unsecured Amazon server for more than six months. The security firm UpGuard discovered the public files in a folder labeled “resumes” and contacted TigerSwan, the private security firm that owned the files. It was later found that third-party recruiter TalentPen did not take down the files after they were transferred to TigerSwan in February.

Instead, TalentPen left the files on a bucket site on Amazon Web Services without a password, or any type of security for that matter, until Aug. 24, 2017, after Amazon contacted it about the matter. The files have since been taken down.
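A configuration audit can catch this kind of exposure before an outside party does. The sketch below is an added example, not part of the original article or any vendor's tooling; it assumes the storage is an S3 bucket whose ACL and bucket policy have already been fetched as dictionaries, and the bucket names and sample configurations are constructed.

```python
# Group URIs that S3 ACLs use for "everyone" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def public_acl_grants(acl):
    """List ACL grants that open the bucket to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        who = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if who:
            found.append(f"ACL grants {grant['Permission']} to {who}")
    return found

def is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    values = principal if isinstance(principal, list) else [principal]
    return "*" in values

def public_policy_statements(policy):
    """List unconditional Allow statements whose principal is everyone."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    found = []
    for st in statements:
        # Statements with a Condition are skipped here and need manual review.
        if (st.get("Effect") == "Allow" and is_wildcard(st.get("Principal"))
                and not st.get("Condition")):
            found.append(f"policy allows {st.get('Action')} to everyone")
    return found

def audit_bucket(name, acl, policy):
    """Combine ACL and policy findings, prefixed with the bucket name."""
    findings = public_acl_grants(acl) + public_policy_statements(policy)
    return [f"{name}: {f}" for f in findings]

# Constructed sample configurations (bucket names are placeholders).
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
OPEN_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-resumes/*"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
    "Permission": "FULL_CONTROL"}]}
PRIVATE_POLICY = {"Statement": []}
```
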

Equifax

September 7, 2017: Equifax, one of the three largest credit agencies in the U.S., suffered a massive breach that could end up affecting 143 million consumers. Because of the sensitivity of the data stolen, which includes Social Security numbers and driver’s license numbers, this may become one of the worst breaches ever.

From mid-May to July, hackers were able to gain access to the company’s system by exploiting a weak point in website software. Equifax discovered the breach on July 29 and brought in outside help from a forensics firm. Other compromised data may include full names, addresses, dates of birth, credit card numbers, and other sensitive personal information.